Bug 652860 - (CVE-2010-4167) CVE-2010-4167 ImageMagick: configuration files read from $CWD may allow arbitrary code execution
CVE-2010-4167 ImageMagick: configuration files read from $CWD may allow arbit...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20101030,reported=2...
: Reopened, Security
Depends On: 653577 767142 796844 796845
Blocks: 742493
  Show dependency treegraph
 
Reported: 2010-11-12 20:14 EST by Vincent Danen
Modified: 2015-11-24 09:50 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 10:49:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2010-11-12 20:14:50 EST
A Debian bug report [1] indicated that ImageMagick would load configuration files from the current working directory, rather than just standard directories like ~/.magick/ or /usr/lib/ImageMagick-*/config/.  If a user were to run certain ImageMagick programs, like the convert utility, from untrusted directories it could allow for the execution of arbitrary code as the user running the program.

Upstream has corrected [2] this flaw is noted as being fixed in the 6.6.5-5 ChangeLog [3].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824
[2] http://trac.imagemagick.org/changeset?new=3022%40ImageMagick%2Ftrunk%2Fmagick%2Fconfigure.c&old=2002%40ImageMagick%2Ftrunk%2Fmagick%2Fconfigure.c
[3] http://trac.imagemagick.org/browser/ImageMagick/trunk/ChangeLog
Comment 1 Vincent Danen 2010-11-12 20:22:58 EST
The Debian bug report has some sample files used to demonstrate the problem.  I've reproduced this on Fedora using those sample files, but not on RHEL4 or 5.  Looking at strace output from ImageMagick on RHEL5, it's definitely opening files in $CWD, but is not parsing these XML files (perhaps they are in a different format than the older ImageMagick expected or there is something else preventing the execution, I didn't spend much time poking at it).

open("/usr/share/ImageMagick-6.2.8/config/delegates.xml", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/doc/ImageMagick-6.2.8/delegates.xml", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/ImageMagick-6.2.8/delegates.xml", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/home/vdanen/.magick/delegates.xml", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("delegates.xml", O_RDONLY|O_LARGEFILE) = 3
_llseek(3, 0, [105], SEEK_END)          = 0


The upstream patch does apply, with fuzz, to RHEL5 at least.
Comment 2 Kurt Seifried 2010-11-13 01:52:12 EST
The vulnerable code is in configure.c (line 722) in ImageMagick-6.2.8.0-4.el5_5.3.src.rpm, I would assume it's in the updates as well.
Comment 3 Vincent Danen 2010-11-15 12:49:04 EST
This has been assigned the name CVE-2010-4167.
Comment 4 Vincent Danen 2010-11-15 12:53:12 EST
Created ImageMagick tracking bugs for this issue

Affects: fedora-all [bug 653577]
Comment 6 Pavel Alexeev 2010-11-17 06:18:38 EST
If it low impact and fixed upstream may it be closed as UPSTREAM?

And when I'll push next update it will fix it automatically.
Comment 7 Vincent Danen 2010-11-17 17:17:42 EST
(In reply to comment #6)
> If it low impact and fixed upstream may it be closed as UPSTREAM?
> 
> And when I'll push next update it will fix it automatically.

You could do that for the Fedora tracker, but we'd prefer if the bug was actually closed when an update is pushed to Fedora.

As this also affects RHEL, and will not be fixed automatically with a Fedora update, this bug cannot be closed until it is addressed in RHEL.
Comment 8 Pavel Alexeev 2010-11-28 10:54:32 EST
In rawhide new version 6.6.5.10 which shouldn't be affected.
Comment 9 Pavel Alexeev 2011-06-24 01:30:47 EDT
No answer. I Assume problem fixed.
Comment 10 Josh Bressers 2011-07-18 14:45:39 EDT
This bug should not be closed.
Comment 11 Pavel Alexeev 2011-07-31 16:05:21 EDT
Why?
Comment 12 Tomas Hoger 2011-08-01 02:59:11 EDT
There are affected ImageMagick versions in RHEL that are planned to be corrected in some future update (as was previously explained in comment #7).  Feel free to un-CC yourself if you only care about Fedora package, which you've dealt with already.  Thank you.
Comment 15 errata-xmlrpc 2012-02-20 22:09:20 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0301 https://rhn.redhat.com/errata/RHSA-2012-0301.html
Comment 18 errata-xmlrpc 2012-05-07 14:51:19 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0544 https://rhn.redhat.com/errata/RHSA-2012-0544.html
Comment 19 Vincent Danen 2015-08-22 10:49:50 EDT
Statement:

(none)

Note You need to log in before you can comment on or make changes to this bug.